4.ISP Essentials

7/11/19 ISP Essentials Workshop - DNS
Manila, Philippines, 8-12 July 2019

Outline
• DNS Overview
  – Configuration
  – Forward DNS and Reverse DNS
  – Troubleshooting
• DNS Security Overview
  – DNS Transactions
• DNSSEC
  – DNSSEC Signing
  – DNSSEC Key Rollover

Module I: DNS OVERVIEW

Domain Name System
• A lookup mechanism for translating objects into other objects
  – Mapping names to numbers and vice versa
• A critical piece of the Internet infrastructure

IP Addresses vs Domain Names
[Figure: "My Computer" asks the DNS for www.apnic.net and receives its addresses, 202.112.0.4 (IPv4) and 2001:0400:: (IPv6)]

Old Solution: hosts.txt
• A centrally-maintained file, distributed to all hosts on the Internet
• Issues with having just one file
  – Becomes huge after some time
  – Needs frequent copying to ALL hosts
  – Consistency
  – Always out-of-date
  – Name uniqueness
  – Single point of administration
• This feature still exists: [Unix] /etc/hosts, [Windows] c:\windows\hosts

  // hosts.txt
  SERVER1   128.4.13.9
  WEBMAIL   4.98.133.7
  FTPHOST   200.10.194.33

DNS Features
[Figure: five properties of the DNS: Globally distributed, Loosely coherent, Scalable, Reliable, Dynamic]

DNS Features
• Global distribution
  – Shares the load and administration
• Loose coherency
  – Geographically distributed, but still coherent
• Scalability
  – DNS servers can be added without affecting the entire DNS
• Reliability
• Dynamicity
  – Modify and update data dynamically

DNS Features
• DNS is a client-server application
• Requests and responses are normally sent in UDP packets, port 53
• Occasionally uses TCP, port 53
  – For very large requests, e.g. zone transfer from primary to secondary

Querying the DNS – It’s all about IP!
[Figure: the local DNS server resolves www.example.edu.au iteratively. It asks a root server (.), which answers "Ask the .au servers"; it asks the .au server, which answers "Ask the .edu.au servers"; it asks the .edu.au server, which answers "Go to the example.edu.au servers"; the example.edu.au server finally answers with the address of www.example.edu.au, w.x.y.z]

The DNS Tree Hierarchy
[Figure: a tree with Root (.) at the top; below it the top-level domains net, org, com, arpa, au, jp, …; below net the domains apnic and iana (with hosts such as whois, www, training); below au the second-level domains net, edu, com, each with further subdomains and www hosts, down to hosts ws1 and ws2. FQDN = Fully Qualified Domain Name]

DNS Terminologies

DNS Components
• A “name space”
• Servers making that name space available
• Resolvers (clients) query the servers about the name space

Domains
• Domains are “namespaces”
• Everything below .com is in the com domain
• Everything below apnic.net is in the apnic.net domain and in the net domain

Domains
[Figure: the same tree with the NET domain, the AU domain and the APNIC.NET domain outlined; a client asks for www.def.edu.au]

Delegation
• Administrators can create subdomains to group hosts
  – According to geography, organizational affiliation or any other criterion
• An administrator of a domain can delegate responsibility for managing a subdomain to someone else
  – But this isn’t required
• The parent domain retains links to the delegated subdomain
  – The parent domain “remembers” to whom the subdomain is delegated

Zones and Delegations
• Zones are “administrative spaces”
• Zone administrators are responsible for a portion of a domain’s name space
• Authority is delegated from parent to child

Zones
[Figure: the NET zone, the APNIC.NET zone and the TRAINING.APNIC.NET zone (servers ns1, ns2) outlined within the NET domain. The APNIC.NET zone doesn’t include TRAINING.APNIC.NET since it has been “delegated”]

Name Servers
• Name servers answer ‘DNS’ questions
• Several types of name servers
  – Authoritative servers
    • master (primary)
    • slave (secondary)
  – Caching or recursive servers
    • also caching forwarders
  – Mixture of functions

Root Servers
• The top of the DNS hierarchy
• There are 13 root name servers operated around the world: [a-m].root-servers.net
• There are more than 13 physical root name servers
  – Each root server has instances deployed via anycast

Root Servers
http://root-servers.org/

Root Server Deployment at APNIC
• Since 2002, APNIC has been committed to establishing new root server sites in the AP region
• APNIC assists in the deployment by providing technical support
• Deployments of F, K and I-root servers in
  – Singapore, Hong Kong, China, Korea, Thailand, Malaysia, Indonesia, Philippines, Fiji, Pakistan, Bangladesh, Taiwan, Cambodia, Bhutan, and Mongolia

Resolver
• Or “stub” resolver
• A piece of software (usually in the operating system) which formats the DNS request into UDP packets
• A stub resolver is a minimal resolver that forwards all requests to a local recursive nameserver
  – The IP address of the local DNS server is configured in the resolver
• Every host needs a resolver
  – In Linux, it uses /etc/resolv.conf
• It is always a good idea to configure more than one nameserver

Recursive Nameserver
• The job of the recursive nameserver is to locate the authoritative nameserver and get back the answer
• This process is iterative – it starts at the root
• Recursive servers are also usually caching servers
• Prefer a nearby cache
  – Minimizes latency issues
  – Also reduces traffic on your external links
• Must have permission to use it
  – Your ISP’s nameserver or your own recursive/caching nameserver

Authoritative Nameserver
• A nameserver that is authorised to provide an answer for a particular domain
  – Can be more than one auth nameserver
• Two types based on management method:
  – Primary (Master) and Secondary (Slave)
• Only one primary nameserver
  – All changes to the zone are done in the primary
• Secondary nameserver/s will retrieve a copy of the zonefile from the primary server
  – Slaves poll the master periodically
  – Primary server can “notify” the slaves

Resource Records
• Entries in the DNS zone file
• Components:

  Component | Function
  Label     | Name; substitution for the FQDN
  TTL       | Timing parameter, an expiration limit
  Class     | IN for Internet, CH for Chaos
  Type      | RR Type (A, AAAA, MX, PTR) for different purposes
  RDATA     | Anything after the Type identifier; additional data

Common Resource Record Types

  RR Type | Name                | Function                                       | Example
  A       | Address record      | Maps domain name to IP address                 | www.example.com. IN A 192.168.1.1
  AAAA    | IPv6 address record | Maps domain name to an IPv6 address            | www.example.com. IN AAAA 2001:db8::1
  NS      | Name server record  | Used for delegating a zone to a nameserver     | example.com. IN NS ns1.example.com.
  PTR     | Pointer record      | Maps an IP address to a domain name            | 1.1.168.192.in-addr.arpa. IN PTR www.example.com.
  CNAME   | Canonical name      | Maps an alias to a hostname                    | web IN CNAME www.example.com.
  MX      | Mail Exchanger      | Defines where to deliver mail for user@domain  | example.com. IN MX 10 mail01.example.com.
          |                     |                                                |              IN MX 20 mail02.example.com.

Example: RRs in a zone file

  apnic.net.      7200  IN  SOA   ns.apnic.net. admin.apnic.net. (
                                    2015050501  ; Serial
                                    12h         ; Refresh 12 hours
                                    4h          ; Retry 4 hours
                                    4d          ; Expire 4 days
                                    2h )        ; Negative cache 2 hours
  apnic.net.      7200  IN  NS    ns.apnic.net.
  apnic.net.      7200  IN  NS    ns.ripe.net.
  www.apnic.net.  3600  IN  A     192.168.0.2
  www.apnic.net.  3600  IN  AAAA  2001:DB8::2
  (Label)         (TTL) (Class) (Type) (Rdata)

Places where DNS data lives
• Changes do not propagate instantly
• Registry DB → Master server: upload of zone
• Master → Slave server: might take up to ‘refresh’ for the slave to get data from the master
• Cache server: not going to the net if TTL > 0; whether cached data is used is local policy

Delegating a Zone
• Delegation is the passing of authority for a subdomain to another party
• Delegation is done by adding NS records
  – Ex: if APNIC.NET wants to delegate TRAINING.APNIC.NET

    training.apnic.net.  NS  ns1.training.apnic.net.
    training.apnic.net.  NS  ns2.training.apnic.net.

• Now how can we get to ns1 and ns2?
  – We must add a Glue Record

Glue Record
• Glue is ‘non-authoritative’ data
• Don’t include glue for servers that are not in the sub zone

    training.apnic.net.      NS  ns1.training.apnic.net.
    training.apnic.net.      NS  ns2.training.apnic.net.
    training.apnic.net.      NS  ns1.example.net.
    training.apnic.net.      NS  ns2.example.net.
    ns1.training.apnic.net.  A   10.0.0.1    ; glue record
    ns2.training.apnic.net.  A   10.0.0.2    ; glue record

  – Only the NS records pointing inside training.apnic.net. (ns1 and ns2) need glue

Delegating training.apnic.net. from apnic.net.
• On ns.apnic.net (parent)
  1. Add NS records and glue
  2. Make sure there is no other data from the training.apnic.net. zone in the zone file
• On ns.training.apnic.net (child)
  1. Set up a minimum of two servers
  2. Create the zone file with NS records
  3. Add all training.apnic.net data

Remember ...
• Deploy multiple authoritative servers to distribute load and risk
  – Put your name servers apart from each other
• Use caches to reduce load on authoritative servers and to reduce response times
• SOA timers and TTL need to be tuned to the needs of the zone
  – For stable data, use higher numbers

Performance of DNS
• Server hardware requirements
• OS and the DNS server software running
• How many DNS servers?
• How many zones are expected to be loaded?
• How large are the zones?
• Zone transfers
• Where are the DNS servers located?
• Bandwidth

Performance of DNS
• Are these servers multihomed?
• How many interfaces are to be enabled for listening?
• How many queries are expected to be received?
• Recursion
• Dynamic updates
• DNS notifications

Module 2: DNS CONFIGURATION

DNS Software
• DNS BIND – authoritative + recursive server
• Unbound – caching DNS resolver
• NSD – authoritative only nameserver
• Microsoft DNS – provided with Windows Server
• Knot DNS – authoritative only nameserver
• PowerDNS – data storage backends

BIND
• Berkeley Internet
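The glue rule from the Glue Record slide, applied as a check a parent-zone operator can run before publishing a delegation. This is an added example, not material from the workshop slides; the zone fragment is constructed (it reuses the slides' training.apnic.net. names and deliberately omits one glue record and adds one superfluous one), and the record format handled is the one-record-per-line form shown on the slides.

```python
"""Check a delegation for missing or superfluous glue (added example).

Rule from the slides: a name server inside the delegated subdomain
("in-bailiwick") needs an A/AAAA glue record in the parent zone;
a server outside the subdomain must not be given glue there.
"""

# Constructed parent-zone fragment: apnic.net. delegating training.apnic.net.
# ns2.training.apnic.net. is in bailiwick but has no glue (error: missing);
# ns1.example.net. is out of bailiwick but has an A record (error: superfluous).
ZONE_FRAGMENT = """
training.apnic.net.      NS    ns1.training.apnic.net.
training.apnic.net.      NS    ns2.training.apnic.net.
training.apnic.net.      NS    ns1.example.net.
ns1.training.apnic.net.  A     10.0.0.1      ; glue
ns1.example.net.         A     192.0.2.53    ; should not be here
"""


def parse_records(text):
    """Return (owner, type, rdata) tuples from 'owner [ttl] [class] type rdata' lines."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        owner, rest = fields[0].lower(), fields[1:]
        if rest and rest[0].isdigit():             # optional TTL field
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":       # optional class field
            rest = rest[1:]
        records.append((owner, rest[0].upper(), " ".join(rest[1:]).lower()))
    return records


def in_bailiwick(name, zone):
    """True if name is the zone apex or lies below it (names are absolute, trailing dot)."""
    return name == zone or name.endswith("." + zone)


def check_glue(text, child_zone):
    """Return the in-bailiwick NS targets lacking glue and the glue given to out-of-zone names."""
    records = parse_records(text)
    ns_targets = [rd for own, typ, rd in records if typ == "NS" and own == child_zone]
    glued = {own for own, typ, _ in records if typ in ("A", "AAAA")}
    missing = sorted(t for t in ns_targets if in_bailiwick(t, child_zone) and t not in glued)
    superfluous = sorted(g for g in glued if not in_bailiwick(g, child_zone))
    return {"missing": missing, "superfluous": superfluous}


if __name__ == "__main__":
    print(check_glue(ZONE_FRAGMENT, "training.apnic.net."))
```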